From owner-freebsd-net  Mon Dec 18  3:29:41 2000
From owner-freebsd-net@FreeBSD.ORG  Mon Dec 18 03:29:37 2000
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7173937B400; Mon, 18 Dec 2000 03:29:37 -0800 (PST)
Received: (from kris@localhost)
	by citusc.usc.edu (8.9.3/8.9.3) id DAA27758;
	Mon, 18 Dec 2000 03:30:54 -0800
Date: Mon, 18 Dec 2000 03:30:54 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Jesper Skriver <jesper@skriver.dk>,
	"Jacques A. Vidrine" <n@nectar.com>, freebsd-net@FreeBSD.org,
	Poul-Henning Kamp <phk@critter.freebsd.dk>,
	Kris Kennaway <kris@FreeBSD.org>, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001218033054.B27704@citusc.usc.edu>
References: <20001217220852.A20296@skriver.dk> <Pine.NEB.3.96L.1001217161038.48123W-100000@fledge.watson.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="Bn2rw/3z4jIqBvZU"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <Pine.NEB.3.96L.1001217161038.48123W-100000@fledge.watson.org>; from rwatson@FreeBSD.org on Sun, Dec 17, 2000 at 04:12:19PM -0500
Sender: kris@citusc.usc.edu
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


--Bn2rw/3z4jIqBvZU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Dec 17, 2000 at 04:12:19PM -0500, Robert Watson wrote:
> On Sun, 17 Dec 2000, Jesper Skriver wrote:
>=20
> > - ip source and destination addresses
> > - tcp source and destination ports
> > - tcp sequence number
> >=20
> > Can we make it zap the sessions regardless of the current state ?
> >=20
> > And perhaps enable it by default ?
>=20
> I admit that I had assumed, from the commit message, that that was the way
> it would be done, because anything else would be silly :-).  If all of
> these conditions hold (and ICMP messages are correctly ignored if they are
> truncated too early to include the info (rather than wild-carding), and IP
> + TCP options are correctly handled without alignment problems), then I
> see no reason not to turn this on by default.

I agree.

Kris

--Bn2rw/3z4jIqBvZU
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6PfVtWry0BWjoQKURAlRDAKD0fCOfU1WPBQY7bEaXd0Iwygf7egCfbdHu
hFwh5Qkru57iUsdakiYr5jU=
=xRxf
-----END PGP SIGNATURE-----

--Bn2rw/3z4jIqBvZU--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message